c42605ae4e6fccd76450fc73f480f04c9ec2c103122e8211f48daabbf9ac689c

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
05-11-2020 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
Size

2.2MB
MD5

aa94f1a2abab96f5bd41a84a37e2784b
SHA1

a8df73a1c902839b456e3d9ada25b53ab95436df
SHA256

ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d
SHA512

0287f6ed3cc3bb66789b8929ba45bf6e8ed70c31b8096d36bcdb93ab3d3c0a06aa41987d749eb1db55126b234a3ed468074f9e5ed7bac98f87829f8c4eed13d4

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DjvuApp.exeDjvuApp.exe

pid process

1764 DjvuApp.exe
1216 DjvuApp.exe

pid	process
1764	DjvuApp.exe
1216	DjvuApp.exe

Loads dropped DLL 7 IoCs

Processes:

ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe

pid	process
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
1260
1260
1260
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DjvuApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DjvuApp = "\"C:\\Users\\Admin\\AppData\\Roaming\\DjvuApp\\DjvuApp.exe\""	DjvuApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe

pid	process
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe

description	pid	process	target process
PID 344 wrote to memory of 1764	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1764	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1764	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1764	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1216	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1216	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1216	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe
PID 344 wrote to memory of 1216	344	ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe	DjvuApp.exe

C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
"C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
"C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "first_run" "C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1764

C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
"C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe" "HKCU" "Software\DjvuApp" "intesq"
2⤵
- Executes dropped EXE
PID:1216

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
MD5
c23306cf36744a780fef171015d541d8

SHA1
f70ef0d7124d369dd67a9846a0f8ae3751ab66cd

SHA256
1916cd0a0d64136e443bcd120fd2f003a9fde313c7925ff363f2625030e270bc

SHA512
4a61c15809e185ed0e1a39ee436e90b1ed715bcb0aca1e23d20eb5b9a282efcae216a6ef7ef554177a95a6ff7cb307bd1c64c2ccef098a9b0667bfbbecdad67e

Download Submit
C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
MD5
c23306cf36744a780fef171015d541d8

SHA1
f70ef0d7124d369dd67a9846a0f8ae3751ab66cd

SHA256
1916cd0a0d64136e443bcd120fd2f003a9fde313c7925ff363f2625030e270bc

SHA512
4a61c15809e185ed0e1a39ee436e90b1ed715bcb0aca1e23d20eb5b9a282efcae216a6ef7ef554177a95a6ff7cb307bd1c64c2ccef098a9b0667bfbbecdad67e

Download Submit
\Users\Admin\AppData\Local\Temp\nsc2981.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
MD5
c23306cf36744a780fef171015d541d8

SHA1
f70ef0d7124d369dd67a9846a0f8ae3751ab66cd

SHA256
1916cd0a0d64136e443bcd120fd2f003a9fde313c7925ff363f2625030e270bc

SHA512
4a61c15809e185ed0e1a39ee436e90b1ed715bcb0aca1e23d20eb5b9a282efcae216a6ef7ef554177a95a6ff7cb307bd1c64c2ccef098a9b0667bfbbecdad67e

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp\WinDjView.exe
MD5
89cda5298a56faae6ef3f7d9b4979330

SHA1
4504e49782c88e2fc66be1e13ae89c3a31ca15d4

SHA256
d1049efef77554446171ba94c69cee78bb6b0b9fdade3e1b5dc93468da6ce0c0

SHA512
a357bce85a299b3e45a3dff273a8f8477f86757c4ba876d494a5e95c4180f182c16ab75df6749e651a4c0abf2d01285796a80f7268bbbfa533b4b407b2361643

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp\WinDjView.exe
MD5
89cda5298a56faae6ef3f7d9b4979330

SHA1
4504e49782c88e2fc66be1e13ae89c3a31ca15d4

SHA256
d1049efef77554446171ba94c69cee78bb6b0b9fdade3e1b5dc93468da6ce0c0

SHA512
a357bce85a299b3e45a3dff273a8f8477f86757c4ba876d494a5e95c4180f182c16ab75df6749e651a4c0abf2d01285796a80f7268bbbfa533b4b407b2361643

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp\WinDjView.exe
MD5
89cda5298a56faae6ef3f7d9b4979330

SHA1
4504e49782c88e2fc66be1e13ae89c3a31ca15d4

SHA256
d1049efef77554446171ba94c69cee78bb6b0b9fdade3e1b5dc93468da6ce0c0

SHA512
a357bce85a299b3e45a3dff273a8f8477f86757c4ba876d494a5e95c4180f182c16ab75df6749e651a4c0abf2d01285796a80f7268bbbfa533b4b407b2361643

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp\WinDjView.exe
MD5
89cda5298a56faae6ef3f7d9b4979330

SHA1
4504e49782c88e2fc66be1e13ae89c3a31ca15d4

SHA256
d1049efef77554446171ba94c69cee78bb6b0b9fdade3e1b5dc93468da6ce0c0

SHA512
a357bce85a299b3e45a3dff273a8f8477f86757c4ba876d494a5e95c4180f182c16ab75df6749e651a4c0abf2d01285796a80f7268bbbfa533b4b407b2361643

Download Submit
\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp\WinDjView.exe
MD5
89cda5298a56faae6ef3f7d9b4979330

SHA1
4504e49782c88e2fc66be1e13ae89c3a31ca15d4

SHA256
d1049efef77554446171ba94c69cee78bb6b0b9fdade3e1b5dc93468da6ce0c0

SHA512
a357bce85a299b3e45a3dff273a8f8477f86757c4ba876d494a5e95c4180f182c16ab75df6749e651a4c0abf2d01285796a80f7268bbbfa533b4b407b2361643

Download Submit
memory/1216-4-0x0000000000000000-mapping.dmp

Download
memory/1764-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads